
Warning! Spyware Detected On Your Computer!


  • This topic is locked
8 replies to this topic

#1 NetBren


  • Members
  • 4 posts

Posted 24 March 2008 - 07:43 PM

So, I share a computer with my family. About a week ago, my desktop background has changed to a blue screen with a yellow warning that says:

Warning!
Spyware detected on your computer!
Install an antivirus or spyware remover to
clean your computer.

After I change my desktop background, it continually loads the annoying blue warning screen again after reboot. Along with this annoyance, I believe two antivirus programs came along with it. I forgot the names of the programs, but I deleted both via "Add/Remove Programs."

Not only that, but I kept receiving the dreaded blue screen of death. My screen would receive the blue death screen whenever I tried to run scans on my computer. I ended up going into safe mode on my computer and running the scans (Ad-Aware, SpyBot S&D, AVG, ZoneAlarm Security Suite, Super AntiSpyware, and even Disk Defragmenter/Cleanup).

After running those scans, I don't receive the blue screen of death much anymore. It blue screened once in the past four days I believe.

However, my desktop background still shows the annoying bright blue warning prompting me to believe there is more that I have not cleaned out yet. So I turn to you guys.

Someone here posted a thread similar to this problem, and I proceeded to follow the instructions, but I believe my case is a bit different somehow.

Here is my HijackThis log:

__________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:59 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brennen Lo\Local Settings\Application Data\spool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brennen Lo\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134293525380
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DDE1718-33C7-4AD1-A2C2-67CCB5792120}: NameServer = 85.255.116.102,85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.102 85.255.112.147
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Schedule - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8034 bytes

________________________________________________________________________________


Along with this HijackThis log, I followed the instructions of someone who helped another with a similar problem by running a Panda scan. I think that's what it was called. Anyway, here are the results.


Incident | Status | Location
Virus:trj/torpig.a | Disinfected | Operating system
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mediaplex | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.xiti.com/]
Spyware:Cookie/BurstBeacon | Not disinfected | C:\Documents and Settings\Brennen Lo\Application Data\Mozilla\Firefox\Profiles\94jzbyk4.default\cookies.txt[.www.burstbeacon.com/]
Spyware:Cookie/NewMedia | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@anm.co[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@atwola[1].txt
Spyware:Cookie/Ccbill | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@ccbill[1].txt
Spyware:Cookie/Clickbank | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@clickbank[2].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@com[2].txt
Spyware:Cookie/did-it | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@did-it[1].txt
Spyware:Cookie/Enhance | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@enhance[1].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@errorsafe[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@go[3].txt
Spyware:Cookie/MediaTickets | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@kinghost[1].txt
Spyware:Cookie/Systemdoctor | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@systemdoctor[1].txt
Spyware:Cookie/Tucows | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@tucows[1].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@www.errorsafe[1].txt
Spyware:Cookie/myaffiliateprogram | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@www.myaffiliateprogram[1].txt
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\Brennen Lo\Cookies\brennen lo@yadro[2].txt
Virus:Trj/Downloader.SZW | Disinfected | C:\Documents and Settings\Brennen Lo\Local Settings\Temporary Internet Files\Content.IE5\A67OPXW5\17PHolmes[1].cmt
Hacktool:Exploit/iFrame | Not disinfected | C:\Documents and Settings\Brennen Lo\Local Settings\Temporary Internet Files\Content.IE5\A67OPXW5\space[1].htm
Adware:Adware/SpyAway | Not disinfected | C:\Documents and Settings\Brennen Lo\Local Settings\Temporary Internet Files\Content.IE5\IP8RETYX\bblatest[1].exe
Spyware:Cookie/Ccbill | Not disinfected | C:\Documents and Settings\Hades\Cookies\hades@ccbill[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\Hades\Cookies\hades@go[2].txt
Spyware:Cookie/MediaTickets | Not disinfected | C:\Documents and Settings\Hades\Cookies\hades@kinghost[2].txt



#2 Rodav


  • Members
  • 388 posts

Posted 26 March 2008 - 03:46 PM

Hello NetBren and welcome to the Bleeping Computer forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
As I am still training, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 NetBren

  • Topic Starter

  • Members
  • 4 posts

Posted 26 March 2008 - 05:25 PM

Oh yay! Thank you, Rodav! =]

#4 Rodav


  • Members
  • 388 posts

Posted 27 March 2008 - 03:47 AM

Step 1:
Please download FixWareout from this site:
http://downloads.subratam.org/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) in your next reply.

Step 2:
In the windows control panel (Start > Control Panel), if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Right-click on your default connection, usually local area connection for cable and dsl, and left click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot your PC if asked.


Step 3:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Step 4:
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Step 5:
Run HijackThis and do a system scan and in your next reply please post:
  • The Fixwareout report (C:\fixWareout\report.txt)
  • The SDFix log (Report.txt)
  • The ComboFix log (C:\ComboFix.txt)
  • The new HijackThis log
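
An added example, not code from this thread or from HijackThis, FixWareout, SDFix or ComboFix: a small Python triage script that applies to the HijackThis log in post #1 the checks a log reader applies by eye, and shows what Step 2 above (switching DNS back to "Obtain DNS servers automatically") is reacting to, namely the O17 NameServer lines. The sample is a constructed subset of the posted log lines. The rules themselves are assumptions of the example, not HijackThis or forum rules: an F2 UserInit value should name only userinit.exe; a startup executable living in system32\drivers or in a per-user Local Settings\Application Data folder is out of place; a Winlogon Notify DLL dropped directly under the Windows folder rather than a vendor's Program Files directory deserves a look; and DNS servers hard-coded in the registry outside private address ranges on a home PC that normally uses DHCP deserve a look.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the HijackThis lines from post #1 (raw
# string so the backslashes stay literal).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brennen Lo\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.102 85.255.112.147
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Schedule - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
"""

# Heuristic (assumption of this example): the drivers folder holds .sys files,
# not .exe, and per-user Local Settings\Application Data is where downloaders
# usually drop their payload.
ODD_EXE_LOCATIONS = (
    re.compile(r"\\drivers\\[^\\]+\.exe\b", re.I),
    re.compile(r"\\local settings\\application data\\", re.I),
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_userinit(body):
    """F2: everything listed after userinit.exe is started at every logon."""
    _, _, value = body.partition("UserInit=")
    extras = [p.strip() for p in value.split(",")
              if p.strip() and not p.strip().lower().endswith(r"\userinit.exe")]
    return [f"UserInit runs extra program(s): {', '.join(extras)}"] if extras else []


def check_exe_location(body):
    """O4 / O23: flag executables launched from an unusual folder."""
    hit = any(p.search(body) for p in ODD_EXE_LOCATIONS)
    return ["startup executable in an unusual location"] if hit else []


def check_nameserver(body):
    """O17: hard-coded resolvers outside private ranges redirect every lookup."""
    public = [ip for ip in IPV4.findall(body) if not ip_address(ip).is_private]
    return [f"hard-coded public DNS server(s): {' '.join(public)}"] if public else []


def check_winlogon_notify(body):
    """O20: a Notify DLL under the Windows folder instead of a vendor directory."""
    _, _, dll = body.rpartition(" - ")
    hit = re.search(r"^[a-z]:\\windows\\", dll.strip(), re.I)
    return ["Winlogon Notify DLL under the Windows directory"] if hit else []


CHECKS = {"F2": check_userinit, "O4": check_exe_location, "O17": check_nameserver,
          "O20": check_winlogon_notify, "O23": check_exe_location}


def triage(log_text):
    """Return (section, reason, line) for every HijackThis line a check flags."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        for reason in CHECKS.get(section, lambda b: [])(body):
            findings.append((section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample it flags six lines: the UserInit entry carrying ntos.exe (which ComboFix's "Other Deletions" list later in the thread shows being removed), both ctfmon.exe-in-drivers entries, the spool.exe autoload entry, the O17 NameServer line that Step 2 and FixWareout's "Value cleared" lines deal with, and the WLCtrl32.dll Notify entry, while leaving SoundMan, WMPNSCFG and the SUPERAntiSpyware Notify DLL alone. Heuristics like these only prioritise what to look at; the thread's helpers still verify each entry before asking for a fix.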


#5 NetBren

  • Topic Starter

  • Members
  • 4 posts

Posted 27 March 2008 - 02:33 PM

Wow, I am astonished people can actually read these logs. :thumbsup:

Fixwareout

Username "Brennen Lo" - 03/27/2008 10:55:28 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kduff.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.102 85.255.112.147" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7DDE1718-33C7-4AD1-A2C2-67CCB5792120} 
"nameserver"="85.255.116.102,85.255.112.147" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4DF6129C-5E3C-4054-8487-E17D145968F6}
"DhcpNameServer"="85.255.116.102,85.255.112.147" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully. 
 
~~~~~ Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "system"="" 
....
....
~~~~~ Misc files. 
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"MAAgent"="C:\\Program Files\\MarkAny\\ContentSafer\\MAAgent.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"BluetoothAuthorizationAgent"="C:\\WINDOWS\\system32\\BluetoothAuthorizationAgent.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\ctfmon.exe"
"autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\spool.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\\WINDOWS\\system32\\drivers\\ctfmon.exe"
"autoload"="C:\\Documents and Settings\\Brennen Lo\\Local Settings\\Application Data\\spool.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

SDFix

SDFix: Version 1.162

Run by Brennen Lo on Thu 03/27/2008 at 11:48 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Name:
INS62

Path:
\SystemRoot\System32\Drivers\Ins62.sys 

INS62 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

ComboFix

ComboFix 08-03-26.3 - Brennen Lo 2008-03-27 12:09:24.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.267 [GMT -7:00]
Running from: C:\Documents and Settings\Brennen Lo\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
(((((((((((((((((((((((((   Files Created from 2008-02-27 to 2008-03-27  )))))))))))))))))))))))))))))))
.

2008-03-27 11:57 . 2008-03-27 11:57	269,334	--a------	C:\WINDOWS\system32\kfmdgjid.bmp
2008-03-27 11:57 . 2008-03-27 11:57	5,120	--a------	C:\WINDOWS\system32\ftpdll.dll
2008-03-27 11:57 . 2008-03-27 11:57	5,120	--a------	C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-27 11:57 . 2008-03-27 11:57	5,120	--a------	C:\Documents and Settings\Brennen Lo\ftpdll.dll
2008-03-27 11:43 . 2008-03-27 11:43	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-03-27 11:39 . 2008-03-27 11:39	48,640	--a------	C:\94.tmp
2008-03-27 11:39 . 2008-03-27 11:39	2	--a------	C:\96.tmp
2008-03-27 11:39 . 2008-03-27 11:39	0	--a------	C:\95.tmp
2008-03-27 11:38 . 2008-03-27 11:54	<DIR>	d--------	C:\SDFix
2008-03-27 11:28 . 2008-03-27 11:28	269,334	--a------	C:\WINDOWS\system32\mlcrapknalcbal.bmp
2008-03-27 11:22 . 2008-03-27 11:22	269,334	--a------	C:\WINDOWS\system32\ojmlgn.bmp
2008-03-27 11:14 . 2008-03-27 11:14	269,334	--a------	C:\WINDOWS\system32\adsjelkbalkrep.bmp
2008-03-27 11:01 . 2008-03-27 11:01	269,334	--a------	C:\WINDOWS\system32\lgfel.bmp
2008-03-27 10:56 . 2008-03-27 10:56	0	--a------	C:\2B.tmp
2008-03-27 10:55 . 2008-03-27 11:00	<DIR>	d--------	C:\fixwareout
2008-03-27 10:47 . 2008-03-27 10:47	269,334	--a------	C:\WINDOWS\system32\tgfqp.bmp
2008-03-26 23:47 . 2008-03-26 23:47	48,640	--a------	C:\8B.tmp
2008-03-26 23:47 . 2008-03-26 23:47	48,640	--a------	C:\8A.tmp
2008-03-26 23:47 . 2008-03-26 23:47	2	--a------	C:\8C.tmp
2008-03-26 23:36 . 2008-03-26 23:36	269,334	--a------	C:\WINDOWS\system32\elgnalkjmh.bmp
2008-03-26 15:34 . 2008-03-26 15:34	269,334	--a------	C:\WINDOWS\system32\bmpofqpor.bmp
2008-03-26 13:01 . 2008-03-26 13:01	269,334	--a------	C:\WINDOWS\system32\tgjmhsfmt.bmp
2008-03-25 09:12 . 2008-03-25 09:12	0	--a------	C:\2A.tmp
2008-03-25 09:12 . 2008-03-25 09:12	0	--a------	C:\29.tmp
2008-03-25 09:11 . 2008-03-25 09:11	48,640	--a------	C:\25.tmp
2008-03-25 09:11 . 2008-03-25 09:11	2	--a------	C:\27.tmp
2008-03-25 09:11 . 2008-03-25 09:11	0	--a------	C:\28.tmp
2008-03-25 09:11 . 2008-03-25 09:11	0	--a------	C:\26.tmp
2008-03-25 08:41 . 2008-03-25 08:41	269,334	--a------	C:\WINDOWS\system32\ralsnqt.bmp
2008-03-24 22:12 . 2008-03-24 22:12	48,640	--a------	C:\23.tmp
2008-03-24 22:12 . 2008-03-24 22:12	48,640	--a------	C:\22.tmp
2008-03-24 22:12 . 2008-03-24 22:12	2	--a------	C:\24.tmp
2008-03-24 22:04 . 2008-03-24 22:04	269,334	--a------	C:\WINDOWS\system32\elcjipgjqtknah.bmp
2008-03-24 22:02 . 2008-03-24 22:02	48,640	--a------	C:\20.tmp
2008-03-24 22:02 . 2008-03-24 22:02	48,640	--a------	C:\1F.tmp
2008-03-24 22:02 . 2008-03-24 22:02	2	--a------	C:\21.tmp
2008-03-24 21:03 . 2008-03-24 21:03	269,334	--a------	C:\WINDOWS\system32\etcfmdknapkred.bmp
2008-03-23 22:29 . 2008-03-23 22:29	48,640	--a------	C:\88.tmp
2008-03-23 22:29 . 2008-03-23 22:29	48,640	--a------	C:\87.tmp
2008-03-23 22:29 . 2008-03-23 22:29	2	--a------	C:\89.tmp
2008-03-23 22:24 . 2008-03-23 22:24	269,334	--a------	C:\WINDOWS\system32\bihojmtoj.bmp
2008-03-23 12:48 . 2008-03-23 12:48	269,334	--a------	C:\WINDOWS\system32\oripcral.bmp
2008-03-22 07:32 . 2008-03-22 07:32	48,640	--a------	C:\85.tmp
2008-03-22 07:32 . 2008-03-22 07:32	48,640	--a------	C:\84.tmp
2008-03-22 07:32 . 2008-03-22 07:32	2	--a------	C:\86.tmp
2008-03-22 07:28 . 2008-03-22 07:28	269,334	--a------	C:\WINDOWS\system32\epsjmd.bmp
2008-03-21 17:17 . 2008-03-21 17:17	269,334	--a------	C:\WINDOWS\system32\torqdcned.bmp
2008-03-21 15:30 . 2008-03-21 15:30	269,334	--a------	C:\WINDOWS\system32\nmtojalsnedkn.bmp
2008-03-20 15:52 . 2008-03-20 15:52	269,334	--a------	C:\WINDOWS\system32\nidcnapojedgb.bmp
2008-03-19 15:39 . 2008-03-19 15:39	269,334	--a------	C:\WINDOWS\system32\gredkj.bmp
2008-03-18 19:49 . 2008-03-24 16:08	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2008-03-18 19:49 . 2008-03-24 15:38	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-03-18 19:49 . 2008-03-24 15:38	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-03-18 19:49 . 2008-03-24 15:38	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-03-18 19:46 . 2008-03-18 19:46	<DIR>	d--------	C:\Program Files\Trend Micro
2008-03-18 19:30 . 2008-03-18 19:31	<DIR>	d--------	C:\Program Files\SpywareBlaster
2008-03-18 19:30 . 2008-03-18 19:32	<DIR>	d-a------	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-18 19:17 . 2008-03-18 19:17	269,334	--a------	C:\WINDOWS\system32\ponadcf.bmp
2008-03-18 17:57 . 2008-03-18 17:57	269,334	--a------	C:\WINDOWS\system32\bqtsret.bmp
2008-03-18 17:23 . 2008-03-18 17:23	269,334	--a------	C:\WINDOWS\system32\bilsnep.bmp
2008-03-18 16:25 . 2008-03-18 16:25	269,334	--a------	C:\WINDOWS\system32\jqtoralsfml.bmp
2008-03-18 07:37 . 2008-03-27 11:39	26,624	--a------	C:\WINDOWS\system32\drivers\Ins62.sys
2008-03-18 07:37 . 2008-03-18 16:29	26,624	--a------	C:\WINDOWS\system32\drivers\Ins62(2).sys
2008-03-18 07:37 . 2008-03-27 11:41	10,752	--a------	C:\WINDOWS\system32\WLCtrl32.dll
2008-03-18 07:13 . 2008-03-18 07:13	269,334	--a------	C:\WINDOWS\system32\mtgnehojql.bmp
2008-03-17 18:51 . 2008-03-17 18:51	269,334	--a------	C:\WINDOWS\system32\cnqpkj.bmp
2008-03-17 16:05 . 2008-03-17 16:05	29	--a------	C:\WINDOWS\system32\uifqdfia.tmp
2008-03-17 16:04 . 2008-03-17 16:04	167,936	--a------	C:\WINDOWS\system32\drivers\Vkr38.sys
2008-03-17 16:04 . 2008-03-17 16:04	167,936	--a------	C:\WINDOWS\system32\drivers\grande48.sys
2008-03-17 14:39 . 2008-03-17 14:39	269,334	--a------	C:\WINDOWS\system32\fqpkjel.bmp
2008-03-16 22:00 . 2008-03-16 22:00	269,334	--a------	C:\WINDOWS\system32\fepormlkn.bmp
2008-03-16 19:05 . 2008-03-16 19:05	269,334	--a------	C:\WINDOWS\system32\mhgbadcb.bmp
2008-03-16 18:00 . 2008-03-16 18:00	269,334	--a------	C:\WINDOWS\system32\edkrit.bmp
2008-03-16 17:15 . 2008-03-16 17:15	269,334	--a------	C:\WINDOWS\system32\redsbedcb.bmp
2008-03-16 15:47 . 2008-03-16 15:47	<DIR>	d--------	C:\Documents and Settings\Brennen Lo\Application Data\Anti-Virus-Pro.com
2008-03-16 15:46 . 2008-03-16 16:10	<DIR>	d--------	C:\Program Files\AntiVirusPro
2008-03-16 15:46 . 2008-03-16 15:46	43,928	---hs----	C:\WINDOWS\system32\drivers\ctfmon.exe
2008-03-16 15:46 . 2008-03-16 15:46	18,432	--a------	C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-16 15:46 . 2008-03-16 15:46	16,896	--a------	C:\BjN.exe
2008-03-16 15:43 . 2008-03-16 15:43	<DIR>	d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Rabio
2008-03-16 15:42 . 2008-03-16 15:45	<DIR>	d--------	C:\Program Files\Bat
2008-03-16 15:42 . 2008-03-16 15:42	4	--a------	C:\WINDOWS\system32\winfrun32.bin
2008-03-15 15:49 . 2006-03-03 10:02	1,680,896	--a------	C:\WINDOWS\system32\vcl100.bpl
2008-03-15 15:49 . 2006-03-03 10:02	843,264	--a------	C:\WINDOWS\system32\rtl100.bpl
2008-03-15 15:49 . 2006-03-03 10:02	658,432	--a------	C:\WINDOWS\system32\cc3270mt.dll
2008-03-15 15:49 . 2006-03-03 10:02	287,744	--a------	C:\WINDOWS\system32\dbrtl100.bpl
2008-03-15 15:49 . 2006-03-03 10:02	273,920	--a------	C:\WINDOWS\system32\vcldb100.bpl
2008-03-13 22:45 . 2008-03-24 02:20	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-03-13 22:45 . 2008-03-13 22:45	1,409	--a------	C:\WINDOWS\QTFont.for
2008-03-02 01:26 . 2008-03-24 16:11	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-03-02 01:26 . 2008-03-02 01:26	<DIR>	d--------	C:\Documents and Settings\Brennen Lo\Application Data\SUPERAntiSpyware.com
2008-03-02 01:26 . 2008-03-02 01:26	<DIR>	d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-02 01:25 . 2008-03-02 01:25	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 18:39	114,612,768	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-27 18:39	1,416,824	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-27 18:26	6,611,968	----a-w	C:\WINDOWS\Internet Logs\xDB88.tmp
2008-03-27 18:26	25,088	----a-w	C:\WINDOWS\Internet Logs\xDB87.tmp
2008-03-27 18:19	22,528	----a-w	C:\WINDOWS\Internet Logs\xDB86.tmp
2008-03-27 18:12	78,848	----a-w	C:\WINDOWS\Internet Logs\xDB85.tmp
2008-03-27 06:34	177,152	----a-w	C:\WINDOWS\Internet Logs\xDB84.tmp
2008-03-26 22:32	193,536	----a-w	C:\WINDOWS\Internet Logs\xDB83.tmp
2008-03-25 15:42	---------	d-----w	C:\Documents and Settings\Brennen Lo\Application Data\AVG7
2008-03-24 05:22	96,256	----a-w	C:\WINDOWS\Internet Logs\xDB82.tmp
2008-03-22 06:21	74,752	----a-w	C:\WINDOWS\Internet Logs\xDB81.tmp
2008-03-22 00:15	34,304	----a-w	C:\WINDOWS\Internet Logs\xDB80.tmp
2008-03-21 06:04	143,360	----a-w	C:\WINDOWS\Internet Logs\xDB7F.tmp
2008-03-20 22:52	20,731,819	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-03-19 02:15	201,216	----a-w	C:\WINDOWS\Internet Logs\xDB7E.tmp
2008-03-17 14:08	148,992	----a-w	C:\WINDOWS\Internet Logs\xDB7D.tmp
2008-03-16 23:05	25,088	----a-w	C:\WINDOWS\Internet Logs\xDB7C.tmp
2008-03-16 22:56	786,944	----a-w	C:\WINDOWS\Internet Logs\xDB7B.tmp
2008-03-10 14:09	6,501,376	----a-w	C:\WINDOWS\Internet Logs\xDB7A.tmp
2008-02-28 23:57	6,477,312	----a-w	C:\WINDOWS\Internet Logs\xDB79.tmp
2008-02-28 23:57	53,760	----a-w	C:\WINDOWS\Internet Logs\xDB78.tmp
2008-02-27 15:22	2,639,872	----a-w	C:\WINDOWS\Internet Logs\xDB77.tmp
2008-02-20 19:54	---------	d-----w	C:\Program Files\BannedStory
2008-02-06 00:27	---------	d-----w	C:\Program Files\Common Files\INCA Shared
2008-01-21 21:52	253,952	----a-w	C:\WINDOWS\Internet Logs\xDB76.tmp
2008-01-21 04:53	84,480	----a-w	C:\WINDOWS\Internet Logs\xDB75.tmp
2008-01-20 20:56	141,824	----a-w	C:\WINDOWS\Internet Logs\xDB74.tmp
2008-01-20 09:27	80,384	----a-w	C:\WINDOWS\Internet Logs\xDB73.tmp
2008-01-20 02:22	166,912	----a-w	C:\WINDOWS\Internet Logs\xDB72.tmp
2008-01-19 20:04	207,872	----a-w	C:\WINDOWS\Internet Logs\xDB71.tmp
2008-01-18 15:40	145,408	----a-w	C:\WINDOWS\Internet Logs\xDB70.tmp
2008-01-16 15:12	212,480	----a-w	C:\WINDOWS\Internet Logs\xDB6F.tmp
2008-01-14 15:09	128,000	----a-w	C:\WINDOWS\Internet Logs\xDB6E.tmp
2008-01-13 16:53	178,688	----a-w	C:\WINDOWS\Internet Logs\xDB6D.tmp
2008-01-11 08:18	372,224	----a-w	C:\WINDOWS\Internet Logs\xDB6C.tmp
2008-01-08 15:21	51,200	----a-w	C:\WINDOWS\Internet Logs\xDB6B.tmp
2008-01-08 03:44	380,928	----a-w	C:\WINDOWS\Internet Logs\xDB6A.tmp
2007-12-31 21:43	266,752	----a-w	C:\WINDOWS\Internet Logs\xDB69.tmp
2007-12-29 22:13	6,373,888	----a-w	C:\WINDOWS\Internet Logs\xDB68.tmp
2007-12-29 05:59	91,648	----a-w	C:\WINDOWS\Internet Logs\xDB66.tmp
2007-12-29 05:59	6,359,552	----a-w	C:\WINDOWS\Internet Logs\xDB67.tmp
2007-12-27 00:19	62,464	----a-w	C:\WINDOWS\Internet Logs\xDB65.tmp
2007-12-26 11:06	89,088	----a-w	C:\WINDOWS\Internet Logs\xDB64.tmp
2007-12-25 17:35	51,712	----a-w	C:\WINDOWS\Internet Logs\xDB63.tmp
2007-12-25 10:21	76,288	----a-w	C:\WINDOWS\Internet Logs\xDB62.tmp
2007-12-24 09:50	51,712	----a-w	C:\WINDOWS\Internet Logs\xDB61.tmp
2007-12-23 07:19	68,096	----a-w	C:\WINDOWS\Internet Logs\xDB60.tmp
2007-12-22 21:42	1,456,128	----a-w	C:\WINDOWS\Internet Logs\xDB5F.tmp
2007-12-12 08:30	294,912	----a-w	C:\WINDOWS\Internet Logs\xDB5E.tmp
2007-12-10 10:50	1,852,928	----a-w	C:\WINDOWS\Internet Logs\xDB5D.tmp
2007-11-27 00:16	6,236,672	----a-w	C:\WINDOWS\Internet Logs\xDB5C.tmp
2007-11-27 00:16	22,528	----a-w	C:\WINDOWS\Internet Logs\xDB5A.tmp
2007-11-26 07:04	210,432	----a-w	C:\WINDOWS\Internet Logs\xDB59.tmp
2007-11-25 08:59	615,936	----a-w	C:\WINDOWS\Internet Logs\xDB57.tmp
2007-11-25 08:59	6,235,136	----a-w	C:\WINDOWS\Internet Logs\xDB58.tmp
2007-11-22 05:24	6,231,040	----a-w	C:\WINDOWS\Internet Logs\xDB56.tmp
2007-11-22 05:24	27,136	----a-w	C:\WINDOWS\Internet Logs\xDB55.tmp
2007-11-22 05:12	681,472	----a-w	C:\WINDOWS\Internet Logs\xDB54.tmp
2007-11-17 23:10	180,224	----a-w	C:\WINDOWS\Internet Logs\xDB53.tmp
2007-11-16 15:24	362,496	----a-w	C:\WINDOWS\Internet Logs\xDB52.tmp
2007-11-15 15:10	616,960	----a-w	C:\WINDOWS\Internet Logs\xDB51.tmp
2007-11-13 08:09	314,880	----a-w	C:\WINDOWS\Internet Logs\xDB50.tmp
2007-11-12 09:30	73,216	----a-w	C:\WINDOWS\Internet Logs\xDB4F.tmp
2007-11-11 08:14	704,512	----a-w	C:\WINDOWS\Internet Logs\xDB4E.tmp
2007-11-06 14:33	390,656	----a-w	C:\WINDOWS\Internet Logs\xDB4D.tmp
2007-11-04 09:42	321,536	----a-w	C:\WINDOWS\Internet Logs\xDB4C.tmp
2007-11-02 15:25	123,904	----a-w	C:\WINDOWS\Internet Logs\xDB4B.tmp
2007-11-01 08:53	526,336	----a-w	C:\WINDOWS\Internet Logs\xDB4A.tmp
2007-10-29 12:54	121,344	----a-w	C:\WINDOWS\Internet Logs\xDB49.tmp
2007-10-28 00:49	154,624	----a-w	C:\WINDOWS\Internet Logs\xDB48.tmp
2007-10-27 06:39	361,984	----a-w	C:\WINDOWS\Internet Logs\xDB47.tmp
2007-10-21 01:50	90,112	----a-w	C:\WINDOWS\Internet Logs\xDB46.tmp
2007-10-19 14:15	217,088	----a-w	C:\WINDOWS\Internet Logs\xDB45.tmp
2007-10-15 06:28	134,656	----a-w	C:\WINDOWS\Internet Logs\xDB44.tmp
2007-10-13 23:31	6,060,032	----a-w	C:\WINDOWS\Internet Logs\xDB43.tmp
2007-10-13 22:59	62,464	----a-w	C:\WINDOWS\Internet Logs\xDB42.tmp
2007-10-12 06:14	207,360	----a-w	C:\WINDOWS\Internet Logs\xDB41.tmp
2007-10-05 06:14	59,392	----a-w	C:\WINDOWS\Internet Logs\xDB40.tmp
2007-10-02 06:21	788,480	----a-w	C:\WINDOWS\Internet Logs\xDB3F.tmp
2007-09-24 22:37	86,528	----a-w	C:\WINDOWS\Internet Logs\xDB3D.tmp
2007-09-24 22:37	6,002,176	----a-w	C:\WINDOWS\Internet Logs\xDB3E.tmp
2007-09-18 06:18	499,200	----a-w	C:\WINDOWS\Internet Logs\xDB3C.tmp
2007-09-10 06:18	882,688	----a-w	C:\WINDOWS\Internet Logs\xDB3B.tmp
2007-08-13 09:03	613,888	----a-w	C:\WINDOWS\Internet Logs\xDB3A.tmp
2007-08-04 18:29	525,824	----a-w	C:\WINDOWS\Internet Logs\xDB39.tmp
2007-07-28 17:46	149,504	----a-w	C:\WINDOWS\Internet Logs\xDB38.tmp
2007-07-26 23:42	594,432	----a-w	C:\WINDOWS\Internet Logs\xDB37.tmp
2007-07-17 08:25	522,752	----a-w	C:\WINDOWS\Internet Logs\xDB36.tmp
2007-06-27 20:18	289,280	----a-w	C:\WINDOWS\Internet Logs\xDB35.tmp
2007-06-18 03:45	388,608	----a-w	C:\WINDOWS\Internet Logs\xDB34.tmp
2007-06-05 10:15	160,256	----a-w	C:\WINDOWS\Internet Logs\xDB33.tmp
2007-06-01 07:49	138,752	----a-w	C:\WINDOWS\Internet Logs\xDB32.tmp
2007-05-28 20:06	81,408	----a-w	C:\WINDOWS\Internet Logs\xDB31.tmp
2007-05-27 08:26	5,687,808	----a-w	C:\WINDOWS\Internet Logs\xDB30.tmp
2007-05-27 08:26	335,872	----a-w	C:\WINDOWS\Internet Logs\xDB2F.tmp
2007-05-20 11:34	203,776	----a-w	C:\WINDOWS\Internet Logs\xDB2E.tmp
2007-05-13 23:38	22,528	----a-w	C:\WINDOWS\Internet Logs\xDB2D.tmp
2007-05-13 23:28	27,648	----a-w	C:\WINDOWS\Internet Logs\xDB2C.tmp
2007-05-13 08:32	58,880	----a-w	C:\WINDOWS\Internet Logs\xDB2B.tmp
2007-05-12 06:36	60,928	----a-w	C:\WINDOWS\Internet Logs\xDB2A.tmp
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 22:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 10:02 124416 C:\WINDOWS\soundman.exe]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2007-08-03 23:17 37376]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2007-08-03 23:17 229376]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-08-03 23:17 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 18:03 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [2008-03-16 15:46 18432]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-22 20:05 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 20:29 219136]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [2008-01-20 22:33:30 4638720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-03-27 11:41 10752 C:\WINDOWS\system32\WLCtrl32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^mobile PhoneTools.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\mobile PhoneTools.lnk
backup=C:\WINDOWS\pss\mobile PhoneTools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Brennen Lo^Start Menu^Programs^Startup^Bat - Auto Update.lnk]
path=C:\Documents and Settings\Brennen Lo\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\WINDOWS\pss\Bat - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
---hs---- 2008-03-16 15:46 48270 C:\Documents and Settings\Brennen Lo\Local Settings\Application Data\spool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Detect Kbd Daemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134293029\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd Daemon]
--------- 2002-07-01 18:24 40960 C:\WINDOWS\system32\SKDAEMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2007-08-03 23:17 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-08-03 23:17 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
---hs---- 2008-03-16 15:46 43928 C:\WINDOWS\system32\drivers\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-10 04:06 7311360 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-12-10 04:06 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 04:06 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-22 20:05 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 20:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-08-03 23:17 126976 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2007-08-03 23:17 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 17:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-03-28 15:10 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-05-04 08:24]
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2003-07-10 11:09]
S3 DISK_DRIVE32;DISK_DRIVE32;C:\Documents and Settings\Brennen Lo\Desktop\MS H4X\ce\ce\disk_1024.sys []
S3 kaspersky1;kaspersky1;C:\Documents and Settings\Brennen Lo\Desktop\Kaspersky_Engine_3[1].2\kaspersky.sys []
S3 respect1;respect1;C:\Documents and Settings\Brennen Lo\Desktop\MS H4X\Respect89 Engine\respect.sys []
S3 sejt1;sejt1;C:\Documents and Settings\Brennen Lo\Desktop\AkumaEngine33\sejt.sys []
S3 zenx1;zenx1;C:\Documents and Settings\Brennen Lo\Desktop\ZenxEngine GMS v[1].32\ZenxEngine GMS v.32\ZenxEngine_LATEST\ZenxEngine_LATEST\zenx.sys []
S4 Ins62;Ins62;C:\WINDOWS\system32\Drivers\Ins62.sys [2008-03-27 11:39]
S4 Vkr38;Vkr38;C:\WINDOWS\system32\drivers\Vkr38.sys [2008-03-17 16:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 07:00:03 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 16:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 17:00:03 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 18:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 19:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 20:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 21:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 22:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-15 23:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 00:00:01 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 01:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 08:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 02:00:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 03:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 04:00:01 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 05:00:02 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 06:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 09:00:02 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-15 10:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-15 11:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-15 12:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-15 13:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-15 14:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\8kL210T1.exe
"2008-03-16 15:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\8kL210T1.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 12:17:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
"ImagePath"="\??\C:\Documents and Settings\Brennen Lo\Desktop\Kaspersky_Engine_3
[1].2\kaspersky.sys"

--
"ImagePath"="\??\C:\Documents and Settings\Brennen Lo\Desktop\ZenxEngine GMS v
[1].32\ZenxEngine GMS v.32\ZenxEngine_LATEST\ZenxEngine_LATEST\zenx.sys"


[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\kaspersky1]
"ImagePath"="\??\C:\Documents and Settings\Brennen Lo\Desktop\Kaspersky_Engine_3

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\zenx1]
"ImagePath"="\??\C:\Documents and Settings\Brennen Lo\Desktop\ZenxEngine GMS v
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
Completion time: 2008-03-27 12:19:29
ComboFix-quarantined-files.txt  2008-03-27 19:19:21
Pre-Run: 2,612,334,592 bytes free
Post-Run: 2,586,042,368 bytes free

NewHijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:11 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\CF9476.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Brennen Lo\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Brennen Lo\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134293525380
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Schedule - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7841 bytes

Thanks in advance for your help!

#6 NetBren


Posted 27 March 2008 - 03:01 PM

Oh, yeah, for Step 2 I forgot to add that I do not have a 'Networking' tab.

I went to Start -> Control Panel -> Network Connections, then right clicked my default (and only) connection "Wireless Network Connection 2" under LAN or High-Speed Internet and there was no Networking tab nor any Internet Protocol TCP/IP business.

#7 Rodav


Posted 29 March 2008 - 05:18 AM

Step 1:
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.


Step 2:
The report from SDFix seems incomplete; please navigate to and open C:\SDFix\Report.txt, then select all (CTRL A) and copy and paste the report contents into your next reply.



P2P PROGRAMS
IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Limewire

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.

#8 Rodav


Posted 02 April 2008 - 11:19 AM

Hi NetBren, do you still need any help?

#9 Rodav


Posted 04 April 2008 - 07:33 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
